A REFINEMENT OF KOBLITZ'S CONJECTURE 



DAVID ZYWINA 



Abstract. Let E be an elliptic curve over the number field Q. In 1988, Koblitz conjectured an 
asymptotic for the number of primes p for which the cardinality of the group of Fp-points of E 
is prime. However, the constant occurring in his asymptotic does not take into account that the 
distributions of the \E{¥p) \ need not be independent modulo distinct primes. We shall describe a 
corrected constant. We also take the opportunity to extend the scope of the original conjecture to 
ask how often \E{¥p)\/t is prime for a fixed positive integer t, and to consider elliptic curves over 
arbitrary number fields. Several worked out examples are provided to supply numerical evidence 
for the new conjecture. 



1. Introduction 

Motivated by applications to elliptic curve cryptography and the heuristic methods of Hardy and 
Littlewood [HL23], N. Koblitz made the following conjecture: 

Conjecture 1.1 ([Kob88, Conjecture A]). Let E be a non-CM elliptic curve defined over Q with 
conductor Ne- Assume that E is not Q-isogenous to a curve with nontrivial Q-torsion. Then 

X 

\{p < X prime : p f Ne, \E(¥p)\ is prime}\ ~ Ceti ^ 

(log x)^ 

as x —> oo, where Ce is an explicit positive constant. 

However, the description of the constant in [Kob88] is not always correct (and more seriously, 
our corrected version of the constant is not necessarily positive). The additional phenomena that 
needs to be taken into account is that the divisibility conditions modulo distinct primes, unlike 
the more classical cases considered by Hardy and Littlewood, need not be independent. Lang and 
Trotter have successfully dealt with this non-independence in their conjectures [LT76]. A similar 
modification was required for the original constant of Artin's conjecture; see [Ste03] for a nice 
historical overview. 

1.1. An example. As an illustration, consider the following example kindly provided by N. Jones. 
Let E be the elliptic curve over Q defined by the Weierstrass equation = + 9x + 18; this curve 
has conductor 2'^3^, and is not isogenous over Q to an elliptic curve with non-trivial Q-torsion. 
Conjecture 1.1 predicts that |£^(Fp)| is prime for infinitely many primes p; however for p > 5, 
\E{¥p)\ is always composite! 

For a positive integer m, let be the density of the set of primes p for which |£'(Fp)| is 
divisible by m; intuitively, we may think of this as the probability that m divides [.©(Fp)] for 
a "random" p. We can compute these "dm by applying the Chebotarev density theorem to the 
extensions Q(£'[m])/Q, where Q{E[m]) is the extension of Q generated by the coordinates of the 
m-torsion points of E. For our elliptic curve, we have ??2 = 2/3 and "i^a = 3/4. It is thus natural to 
expect that ??6 = '&2^3 = 1/2 (i.e., that the congruences modulo 2 and 3 are independent of each 
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other); however, one actuahy has ??6 = 5/12. The inclusion-exclusion principle then tells us that 
the "probability" that |-E(Fp)| is relatively prime to 6 is 1 — t?2 — 'i^s + ^^e = 0. 

This lack of independence is explained by the observation that Q{E[2]) and Q(£'[3]) are not 
linearly disjoint over Q. They both contain Q(i): 

• The point {x,y) = (— 3,6i) in E{Q{i)) has order 3, so Q(£'[3]) contains Q(i). If p splits 
in (i.e., p = 1 mod 4), then (— 3, 6i) will give a point in E{¥p) of order 3; hence 
|£;(Fp)| = mod 3. 

• The points in E[2\ — {0} are of the form (x,0), where x is a root of + 9x + 18. The 
discriminant of this cubic is A = -2^3^, so Q(-E[2]) contains Q{^/A) = Q(z). If p > 3 is 
inert in Q(i) (i.e., p = 3 mod 4), then A is not a square modulo p and one checks that 
E(¥p) has exactly one point of order 2; hence |£'(Fp)| = mod 2. 

For p > 5, we deduce that |i?(Fp)| is divisible by 2 or 3. Therefore |£'(Fp)| is prime only in the case 
where it equals 2 or 3 (which happens for p = 5 when |£'(F5)| = 3). 

It is now natural to ask if |£'(Fp)|/3 (or |ii^(Fp)|/2) is prime for infinitely many p7 Our refine- 
ment/generalization of Koblitz's conjecture predicts that the answer is yes, and we will supply 
numerical evidence in §6. 

1.2. The refined Koblitz conjecture. Before stating our conjecture, we set some notation that 
will hold throughout the paper. For a number field K, denote the ring of integers of K by Ok, and 
let T,K be the set of non-zero prime ideals of Ok- For each prime p € T,k, we have a residue field 
Fp = Ok/P whose cardinality we denote by N{p). Let S_r-(x) be the (finite) set of primes p € T,k 
with iV(p) < X. 

For an elliptic curve E over K, let Se be the set of p G Tik for which E has bad reduction. For 
p E Hk — Se, let E(¥p) be the corresponding group of Fp-points (more precisely, the Fp-points of the 
Neron model M/Ok over E/K). For a field extension L/K, we will denote by El the corresponding 
base extension of E. 

Conjecture 1.2. Let E be an elliptic curve defined over a number field K, and let t be a positive 
integer. Then there is an explicit constant CE,t ^ such that 

PeAx) ■■= \{P G ^k{x) - Se : \E{¥p)\/t is a prime}\ ~ CE,t ^ 

as X —> oo. 

If CE,t = 0, then we define the above asymptotic to mean that Pe^x) is bounded as a function 
of X (equivalently, that |£'(Fp)|/t is prime for only finitely many p E T^k — Se)- Our constant Ce^i 
will be described in §2. 

The expression C^;^* x/(log x)^ in Conjecture 1.2 has been used for its simplicity. The heuristics 
in §2.4 suggest that the expression 

1 du 
log(u + 1) — log t log u 

will be a better approximation of PE,t{x), and this is what we will use to test our conjecture. 
We will not study the error term of our conjecture (i.e., the difference between PE,t{x) and the 
expression (1.1)), though we remark that our data suggests that it could be O(x^) for any 9 > 1/2. 

1.3. Overview. In §2, we describe the constant Ce^i occurring in Conjecture 1.2. We shall express 
the constant in terms of the Galois representations arising from the torsion points of our elliptic 
curve. To have a computationally useful version, we treat separately the CM and non-CM cases. In 
§2.4 we give a brief heuristic for our conjecture. In §3, we describe the common factor tE all the 
|£'(Fp)|. It is of course necessary to have tE divide t for Conjecture 1.2 to be interesting. In §4, we 
calculate Ce,i assuming that -E/Q is a Serre curve. In §5~8, we consider four specific elliptic curves. 
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(1.1) 



Ce.i 



t+i 



We describe the Galois action on their torsion points, compute constants CE,t for interesting t, and 
then supply numerical evidence for Conjecture 1.2. In the final section, we describe some of the 
partial progress that has been made on Koblitz's conjecture in the last decade. 

Acknowledgments. Thanks to Nathan Jones for comments and providing the example in §1.1. 
Special thanks to Chantal David and Bjorn Poonen. The experimental evidence for our conjec- 
ture was computed using PARI/GP [PG08]. We also used Magma [BCP97] to check some group 
theoretic claims and Maple to approximate integrals. This research was supported by an NSERC 
postgraduate scholarship. 



2. The constant 

Throughout this section, we will fix an elliptic curve E defined over a number field K and a 
positive integer t. The letter i will always denote a rational prime. 

2.1. Description of the constant. To understand the divisibility of the numbers |i?(Fp)|, it is 
useful to recast everything in term of Galois representations. For each positive integer m, let E[m] 
be the group of m-torsion in E{K), where X is a fixed algebraic closure of K. The natural Galois 
action induces a representation 

Prr,: Gal{K/K) Aut(SH) 

whose image we will denote by G{m). Let K{E[m]) be the fixed field of ker(/?m) in K; so pm 
induces an isomorphism Gsi\{K [E[m]) / K) — > G{m). If p G — Se does not divide m, then pm 
is unramified at p (i.e., p is unramified in K{E[m])) and pm(Frobp) will denote the corresponding 
Frobenius conjugacy class in G{m). Note that the notation does not mention the curve E which 
will always be clear from context. 

The group E[m\ is a free Z/mZ-module of rank 2; a choice of Z/mZ-basis for E[m\ determines an 
isomorphism Aut(i?[m]) = GL2(Z/mZ) that is unique up to an inner automorphism of GL2(Z/mZ). 
For a prime ideal p G — Se with p f m, we have a congruence 

\E{¥f)\ = det(I - pm{Fmhp)) mod m. 

For m > 1, define the set 

(2.1) ^t(m) = {Ae Aut(£;H) : det(I - A) G t • (Z/mZ)^}. 
Thus for a prime p £ T,k — Se with p \ m, we have 

(2.2) \E{¥p)\/t is invertible modulo — — — if and only if pm(Frobp) C G{m) n ^t{m). 

In particular, \E(¥p)\/t is an integer if and only if pt(Frohp) C G{t) n "^tit)- Define the number 

\G{m) n ^'f(m)| 



SE,t{'m) :-- 



\G{m)\ 



By (2.2) and the Chebotarev density theorem, dE.tiTn) is the natural density of the set of p G 
Tix — Se for which |i?(Fp)|/t is invertible modulo m/gcd(m,t). The connection with Conjecture 1.2 
is that if |£'(Fp)|/t is a prime number, then it is invertible modulo all integers m < \E{¥p)\/t. 

Definition 2.1. With notation as above, define 

6E,t{'m) 



Ce± ■= lim 



where the hmit runs over all positive integers ordered by divisibility; this is our predicted constant 
for Conjecture 1.2. An equivalent definition is 

CE,t = hm ~, 

since for m divisible by tJlfit^' have 6E,t{'m) = '^£,t(*nf|m,^)- 

We shall see in §2.2 and §2.3, that the limits of Definition 2.1 do indeed converge, and hence CE,t 
is well-defined. It will also be apparent that CE,t = if and only if 5E,t{m) = for some m; this 
gives the following qualitative version of our conjecture: 

Conjecture 2.2. Let E he an elliptic curve over a number field K , and let t he a positive integer. 
There are infinitely many p G S/^ for which \E{¥p)\/t is prime if and only if there are no "congru- 
ence obstructions" , i.e., for every m > 1 there exists a prime p G S^- — Se with p f m such that 
\E{¥p)\/t is invertible modulo m. 

2.2. The constant for non-CM elliptic curves. The following renowned theorem of Serre, gives 
the general structure of the groups G{m). 

Theorem 2.3 (Serre [Ser72]). Let E/K be an elliptic curve without complex multiplication. There 
is a positive integer M such that if m and n are positive integers with n relatively prime to Mm, 
then 

G{mn) = G{m) x A.ui{E[n]). 

Proposition 2.4. Let E/K be an elliptic curve without complex multiplication, and let t be a 
positive integer. Let M he a positive integer such that 

'^(*n^)='^(^ n ^) ^ n ^^k^ii]) 

e\tm e\tgcd{M,m) t\m,t\tM 

for all (squarefree) m (in particular, one can take M as in Theorem 2.3). Then 

n.iu/(i - 1/^) |i V (£-1)3(^+1) 

Proof. Let Q be a real number greater than tM. From the assumption of the proposition, we have 

t\tM,t<Q 

Therefore 



e'itM,e<Q 



and hence 



For any i f tM, we have 

|{^GGL2(F^):det(/-A) = 0}| 



SE,m = 1 



|GL2(F,)| 

E\{A £ GL2(F£) : the eigenvalues of A are 1 and a}\ 
. \Gum\ 



and by Lemma 2.5 below, 



6Et{^) f-i-l 

A easy calculation then shows that — ■ — 7- = 1 — -177- 7. Substituting this into (2.3), gives 

l-l/e (£-1)3(^ + 1) ^ V 



Letting Q — > +cx), we deduce that the limit defining Ce^i is convergent and that it has the stated 
value. □ 

Lemma 2.5. For a G , 




\{A G GL2(F^) : the eigenvalues of A are 1 and a}\ = 

Proof. This follows easily from Table 12.4 in [Lan02, XVIII], which describes the conjugacy classes 
ofGL2(F^). □ 

Remark 2.6. For later reference, we record the following numerical approximation: 

n/ — p — \ \ 
1 - 7 ~ 0.505166168239435774. 



(^-1)3(^+1) 

So to estimate Ce^i-, it suffices to find M and then compute 5E,t{^Wi\tM 

2.3. The constant for CM elliptic curves. Let E be an elliptic curve over a number field K 
with complex multiplication, and let R = End(£'j^). The ring R is an order in the imaginary 
quadratic field F := R ®i Q. 

For each positive integer m, we have a natural action of R/mR on £'[m]. The group E[m] is a 
free i?/mi?-module of rank 1, so we have a canonical isomorphism Aut/j/^fl(£^[?7T,]) = {R/mR)^ . 
If all the endomorphism of E are defined over K, then the actions of R and Gal{K / K) on E\rn\ 
commute, and hence we may view pm{Gal{K/K)) as a subgroup of {R/mR)^ . 

Proposition 2.7. Let E he an elliptic curve over a number field K with complex multiplication. 
Assume that all the endomorphisms in R = End(£'j^) are defined over K . There is a positive 
integer M such that if m and n are positive integers with n relatively prime to Mn, then 

G{mn) = G{m) x (R/nR)''. 

Proof. (For an overview and further references, see [Ser72, §4.5]) For a prime i, define Ri = R(E>z'^£ 
and Fl = F (^q Q^. Let T^{E) be the £-adic Tate module of E (i.e, the inverse limit of the groups 
£/[£*] with multiplication by I as transition maps). The Tate module Ti{E) is a free i?^-module 
of rank 1 (see the remarks at the end of §4 of [ST68]); we thus have a canonical isomorphism 
A\\iii^{Ti{E)) = Rf . The actions of Gsl{K / K) and Ri on Ti{E) commute with each other (since we 
have assumed that all the endomorphisms of E are defined over K) . Combining our representations 
P£i gives a Galois representation 

pr- GaliK/K) ^ AutR,{Ti{E)) = Rf. 

The theory of complex multiplication implies that the representation 

p:=l[pe: Gb1{K/K) ^ J] R"^ 



has open image; our proposition is an immediate consequence. 



We now describe the representation p in further detail (this will be useful later when we actually 
want to compute a suitable M). Since the endomorphism in R are defined over the action of R 
on the Lie algebra of E gives a homomorphism R ^ K. This allows us to identify F with a subfield 
of K. By class field theory, we may view as a continuous homomorphism / — > R^ C that 
is trivial on , where / is the group of ideles of K with its standard topology. For each prime i, 
define Kg := K ®% = Hpi^ ^p- -^o^ element a £ I, let ag be the component of a in . From 
[ST68, §4.5 Theorems 10 & 11], there is a unique homomorphism e: / — > F^ such that 

pe{a) = e{a)NK^/Fi{<h^) 
for all I and a £ I. The homomorphism e is continuous and e{x) = x for all x G . 

Since e is continuous, there is a set 5 C Yik such that e is 1 on Wp^Y^n-s^i ^ — '^SiCt^ we 
may take S = Se- Let M be a positive integer such that 

• ^Ki/Fi ■■ {Ox^'^iV ^ Rf IS surjective for alH f M. 

• E has good reduction at all p G for which p \ M . 

Take any b = (be) £ Rf with bi = 1 for ah i\M. For each i, there is an £ (Ok Z^)"" ^ 
such that N^^ip^^aJ^) = be. Let a be the corresponding element of / with archimedean component 
equal to 1. Then 

Since (be) was an arbitrary element of Rf with be = I for £\M, we conclude that p(Gal(K / K)) ^ 
{1} ^ Y\e-\Ai ^e- Our M thus agrees with the one in the statement of the propostion. □ 

Proposition 2.8. Let E be an elliptic curve over a number field K with complex multiplication. 
Assume that all the endomorphisms in R = End(£^^) are defined over K . Let x be the Kronecker 
character corresponding to the imaginary quadratic extension F = R(SiQ. o/Q- Let M be a positive 
integer as in Proposition 2. 7 which is also divisible by all the primes dividing the discriminant of 
F or the conductor of the order R. For any positive integer t, we have 



n' .n _im " 11 V 



n,|,M(i-i/^) ^^■^'(i-x(m^-i) 

Proof. Let Q be a real number greater than tM. By Proposition 2.7, we have 



Therefore 



and hence 



ie<Q ' ' i-i-i\tM 



l\tM/<Q 



, . ^E,t{tIil<Q^) _ ^E,t{t\{e\tM^) 5E,t(£) 

^ ■ ^ n.<Q(i - 1/^) n.i*M(i - 1/^) 1-1/^- 

Now take any l\tM. Under the identification Aut^/^j^(^[^]) = (R/IRY, for a £ (lURY we find 
that det(/ — a) agrees with A^(l — a) where is the norm map from R/£R to TLjiTL. We then have 

_ \{a £ (R/IRY : N(l - a) £ (Z/£Z)^}| _ \{a £ (R/IRY : I - a £ (R/IRY]\ 

\(R/iRY\ ~ \(R/iRY\ 



From our assumptions on M, (. is unramified in F and R/IR = OpjlOp. One can then verify that 
|(Oi./^0,.)x| = (£-l)(£-xW), and 

\{a^{PFliOFY : 1-aG (Of/^Oi.)X}| =£2 - (^(£)(£_2) + (^-l)). 
An easy calculation then shows ~^ ~ x(^) ■ Substituting this into (2.5), gives 



1 - 1 

Letting Q — > +oo, we deduce that the limit defining Ce^i is (conditionally) convergent and has the 
stated value (the convergence can be seen by a comparison with the Euler product of the L-function 
L(s, x) at s = 1 which converges to a non-zero number). □ 

2.3.1. Case where not all the endomorphisms are defined over base field. Let's now consider the 
case where not all the endomorphisms of E over K. Choose an embedding F <^ K. The endo- 
morphisms of E are defined over KF, and KF is a quadratic extension of K. We break up the 
conjecture into two cases. 

Primes that split in KF. Let p € J^k — Se be a prime ideal that splits in KF; i.e., there are two 
distinct primes *Pi,*P2 G ^kf lying over p. The maps E{¥p) — > £'(Fsp.) are group isomorphisms. 
So we have 

|{p G ^k{x) - Se -.p splits in KF, \E{¥p)\/t is prime}] 
=^|{*P G J:kf{x) - Se,,^ : \E{¥^)\/t is prime}| + 0{^) = ^P£,,^,t(x) + O(V^) 
Therefore Conjecture 1.2 implies that 

(2.6) |{p G 1:k{x) -Se-.P splits in KF, \E{¥p)\/t is prime} | ~ .„ 

2 (logx)^ 

as X — > oo, and the constant CE^p^t can be computed as in Proposition 2.8 (if Cej^p^i = 0, then 
there is a congruence obstruction and the left hand side of (2.6) is indeed bounded). 

Primes that are inert in KF. Let p G Tik — Se be a prime that is inert in KF; i.e., pOkf is a 
prime ideal of Okf- For these primes we always have |S(Fp)| = A^(p) -|- 1, so 

|{p G T.k{x) - S'e; : P is inert in KF, \E{¥p)\/t is prime}] 
= ]{p G T.k{x) : p is inert in KF, (iV(p) + l)/t is prime}] + 0(1); 

Our conjecture combined with the split case above imply that 

(2.7) ]{p G T.k{x) : p is inert in KF, {N{p) + l)/t is prime}] ~ C- 



(log xY 

as X ^ oo where C = CE,t — CEjip,t/'^- We can also give the more intrinsic definition 



C = lim „ 

m<Q(l - 1/^) 



where 5[{m) is the density of the set of p G Tjk for which p is inert in KF and (-/V(p) + l)/t is 
invertible modulo m/ gcd{t, m). The asymptotics of (2.7) depends only on K and KF, and not the 
specific curve E; we will not consider this case any further. 
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2.4. Heuristics. We will now give a crude heuristic for Conjecture 1.2 (one could also give a more 
systematic heuristic as in [LT76]). 

The prime number theorem states the number of rational primes less than x is asymptotic to 
j;/ log X as j; ^ oo. Intuitively, this means that a random natural number n is prime with probability 
1/log n. This probabilistic model, called Cramer's model, is useful for making conjectures. Of course 
the event "n is prime" is deterministic (i.e., has probability or 1). 

// the primality of the integers in the sequence {|£'(Fp)|/t}pgs^_5g were assumed to behave like 
random integers, then the likelihood that |£'(Fp)|/t is prime would be 

1 _ 1 

log {\E{Fp)\/t) log(iV(p) + 1) - logt 



(the last line is reasonable because of Hasse's bound, \\E{¥p)\ - {N{p) + 1) < 2y^N(p)). 

However, the |£'(Fp)|/t are certainly not random integers with respect to congruences (in par- 
ticular, they might not all be integers!). To salvage our model, we need to take into account these 
congruences. Fix a positive integer m which we will assume is divisible by tll^ij^- ^'^^ 
finitely many p, if |£'(Fp)|/t is prime then it is invertible modulo m. The density of p G T,x — Se 
for which |i?(Fp)|/t is an integer and invertible modulo m is 5E,t{'m), while the density of the set 
of natural numbers that are invertible modulo m is Il£|m(^ ~ 1/^)- taking into account the 
congruences modulo m, we expect 

5E,t{m) 1 

n,|^(l-l/^) ■log(iV(p) + l)-logi 

to be a better approximation for the probability that |E(Fp)|/t is prime for a "random" p G Tik — Se- 
Taking into account all possible congruences, our heuristics suggest that |£'(Fp)|/t is prime for a 
"random" p G S/^ — Se with probability 

CE,t 

where 



Ce.i = hm 



log(iV(p) + l)-logt 



m<Q(i-i/^)' 

We have already seen that this limit converges. 

Using our heuristic model, the expected number of p G T,k{x) — Se such that |i?(Fp)|/t is prime, 
should then be well approximated by 



^^^^ „ log(Af(p) + 1) - logt ' log(n+ 1) - logtlogu 

N(p)>t 

The restriction of p in the above sum to those with A^(p) > t is included simply to ensure that 
each term of the sum is well-defined and positive. The integral expression follows from the prime 
number theorem for the field K, and is asymptotic to x/ilogx)"^. We can now conjecture that 

1 du 



PE,t{x) ~ CE,t / 
Jt- 



t+i \og{u + l) - logUogM 



as X — > oo. 



Remark 2.9. In the setting of Conjecture 1.1 with t = 1, Koblitz assumed that the divisibility 
conditions were independent and hence his constant was JJ /I 



3. Common factor of the |-E(Fp)| 

Let E be an elliptic curve over a number field K. There may be an integer greater than one 
which divides almost all of the |£'(Fp)|; this is an obvious obstruction to the primality of the values 
|£'(Fp)|. Thus it will be necessary to divide by this common factor before addressing any questions 
of primality. In this section we describe the common factor and explain how it arises from the 
global arithmetic of E. 

The following well-known result says that the i('-rational torsion of E injects into E{¥p) for 
almost all p (for a proof see [KatSl, Appendix]). Define the finite set 

Se ■= Se^ {p ^ : Cp > p — 1 where p lies over the prime p} 
where ep is the ramification index of p over p. 

Lemma 3.1. For all p G T,k — Se, reduction modulo p induces an injective group homomorphism 

E{K)tors ^(Fp). 

In particular, \E{K)toj-s\ divides [^^(Fp)! for all p G T,k — Se- 

The integer |£'(Fp)| is a ii'-isogeny invariant of the elliptic curve E. So for all p G T,k — Se, we 
find that |S(Fp)| is divisible by 

(3.1) tE:=lcmE'\E'{K)tors\, 

where E' varies over all elliptic curves that are isogenous to E over K. One can also show that 

(3.2) tE = ina.XE'\E'{K)tovs\- 

From our discussion above, tE divides |-E(Fp)| for almost all p G T,k (in particular, Conjecture 1.2 
is only interesting when tE divides t). The following theorem of Katz shows that is the largest 
integer with this property. 

Theorem 3.2 (Katz [KatSl, Theorem 2(bis)]). Let T, be a subset ofTix — Se with density 1. Then 

tE = gcd\E{¥p)\. 
pes 

There is an elliptic curve E' which is X-isogenous to E satisfying tE = |-E'(i^)tors|- Thus our 
conjecture with t = tE predicts how frequently the groups £"(Fp)/£^'(K)tors have prime cardinality 
as p varies (this was mentioned by Koblitz in the final remarks of [Kob88] as a natural way to 
generalize his paper). Koblitz's original conjecture was restricted to those elliptic curves over Q 
with tE = 1. 

Remark 3.3. Using the characterization of tE from Theorem 3.2, we can also express tE in terms 
of our Galois representations. It is the largest integer t such that det(/ — Pt{g)) = mod t for all 
9^G{t). 

4. Serre Curves 

4.1. The constant Ce,i for Serre curves. Throughout this section, we assume that E \s a, 
elliptic curve over Q without complex multiplication. For each m > 1, we have defined a Galois 
representation pm'- Gal(Q/Q) Aut(£'[m]). Combining them all together, we obtain a single 
representation 

p: Gal(Q/Q) ^ Aut(^tors) = GL2(Z). 
A theorem of Serre [Ser72] says that that the index of G{m) in Aut(£'[m]) is bounded by a constant 
that depends only on E; equivalently, /)(Gal(Q/Q)) has finite index in GL2(Z). 
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Serre has also shown that the map p is never sm'jective [Ser72, Proposition 22]. He proves this 
by showing that p(Gal(Q/Q)) hes in a specific index 2 subgroup He of Aut(i?tors) (see §4.2 for 
details). Following Lang and Trotter, we make the following definition. 

Definition 4.1. An elliptic curve E over Q is a Serre curve if p(Gal(Q/Q)) is an index 2 subgroup 

of Aut(^tors)- 

Serre curves are thus elliptic curves over Q whose Galois action on their torsion points are as 
"large as possible". For examples of Serre curves, see §5 and [Ser72, §5.5]. Jones has shown that 
"most" elliptic curves over Q are Serre curves [Jon09]. Thus Serre curves are prevalent and we 
have a complete understanding of the groups G{m) (see below); thus they are worthy of special 
consideration. We are particularly interested in Conjecture 1.2 with t = 1. 

Proposition 4.2. Let E/Q be a Serre curve. Let D be the discriminant of the number field Q(\/A) 
where A is the discriminant of any Weierstrass model of E over Q. Then 



The proof of Proposition 4.2 will be given in §4.3. 
Remark 4.3. 

(i) In the paper [Jon09b], Jones studies the constant Ce,i as E/Q varies over certain families 
of elliptic curves. The "main term" of his results comes from the contribution of the Serre 
curves. 

(ii) There are elliptic curves defined over number fields K ^ Q such that p{Ga\{K / K)) = 
Aut(£'tors) is surjective! The first example was give by A. Greicius [Gre07] (also see [Zyw08]). 

4.2. The group He- We shall now describe the desired group He (see [Ser72, p. 311] for further 
details). Let D be the discriminant of the number field L := Q(\/A) where A is the discriminant 
of any Weierstrass model of E over Q (note that L is independent of the choice of model). Define 
the character 



where the first map is restriction. 

The field L is contained in Q(£^[2]). Lete: Aut(£'[2]) —> {it 1} be the character which corresponds 
to the signature map under any isomorphism Aut(i?[2]) = ©3. One checks that X-d('^) = £(/'2(c)) 
for all a E Gal(Q/Q). 

Since L is an abelian extension of Q, it must lie in a cyclotomic extension^ of Q. Set d := \D\; 
it is the smallest positive integer for which L C Q(Cd) where G Q is a primitive d-th root of 
unity. The homomorphism detop^ : Gal(Q/Q) — > (Z/dZ)^ factors through the usual isomorphism 
Gal(Q(Cd)/Q) — > (Z/dZ)^. Thus there exists a unique character a: (Z/dZ)^ {=tl} such that 
X-d(c") = a(detpd(o")) for all a £ Gal(Q/Q). The minimality of d implies that a is a primitive 
Dirichlet character of conductor d. 

Combining our two descriptions of XD, we have e{p2{cr)) = a{det pdicr)) for all a £ Gal(Q/Q). 
Define the integer Me ■= lcm(d, 2), and the group 




mod 4 



mod 4 




Xd: Gal(Q/Q) ^ Gal(L/Q) ^ {±1} 



H{Me) ■■= {g £ Aut{E[ME]) : e{A mod 2) = a{det{A mod d))}. 



This is where the assumption A" = Q is important 
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which has index 2 in Aut{E[ME])- By the above discussion, H{Me) contains G{Me)- The index 2 
subgroup He of Aut(£'tors) mentioned earUer is just the inverse image of H{Me) under the natural 
map Aut(£'tors) Aut(£'[Af£;]), and £' is a Serre curve if and only if /)(Gal(Q/Q)) = He- 

Proposition 4.4. Let E/Q be a Serre curve, and let m be a positive integer. If MeItu, then the 
group G{m) is the inverse image of H{Me) under the natural map Aut(E'[m]) Aut(£'[M£;]). // 
Me \ m, then G{m) = k\ii{E[m]). 

Proof. This is a purely group theoretic statement which we leave to the reader. If a: (Z/dZ)^ 
{±1} is a primitive Dirichlet character, define the group 

H ■.= {Ae GL2(Z) : e{A mod 2) = a(det(A mod d))}. 

The proposition simply says that H mod m = GL2(Z/?nZ) if and only if d\m and 2\m. □ 

4.3. Proof of Proposition 4.2. Let i?/Q be a Serre curve, and keep the notation introduced in 
§4.2. 

Let's first consider the case where D = Q mod 4. The integer Me = d = |-D| is divisible by 4, 
so by Proposition 4.4, we have G{m) = Aut(£'[m]) for all squarefree m. By Proposition 2.4, with 
t = l and M = 1, we have Ce,i = (l " ) • 

We shall now restrict to the case where D = 1 mod 4. In this case, the integer Me = lcm(2, d) = 
2d = 2\D\ is squarefree. By Proposition 4.4, we have G{Me ■ m) = H{Me) x Aut(i?[m]) for all 
squarefree m relatively prime to Me. Thus by Proposition 2.4, with t = 1 and M = Me, we have 

^ |g(ME) n »l'i(A/E)|/|H(Afe)l TT e-t-l 

Since d is odd and a is a quadratic character of conductor d, a is the Jacobi symbol (^). The set 
H{A'Ie) n '^i{Me) then has the same cardinality as the set 

X = {Aci GL2{Z/MeZ) : e{A mod 2) = (^ dct(Amod d) ^ ^ ^^^^j _ ^ (Z/A/^Z)^}. 

Take any element A £ X. Setting A2 ■= A mod 2, we have det(I — A2) = 1 and det(^2) = 1 in 
Z/2Z. The only matrices in GL2(Z/2Z) that satisfy these conditions are: (10) and (? i) - These 
two matrices have order 3 in GL2(Z/2Z), and hence £(^2) = 1- Since d is odd, H{Me) n ^i{Me) 
has twice as many element as the set 

Y = {Ae GL2(Z/dZ) : (^^] = l,det(/- A) G (Z/dZ)^}. 



For each prime i\d, define the sets 

y± := [A e GL2(Z/«) : (^^) = ±1, det(/ - ^) / O}. 

Under the isomorphism GL2(Z/(iZ) = ]^^|^ GL2(Z/^Z), the set Y corresponds to the disjoint union 
of sets: 

u n^T- n n*- 

jc{e:i\d} eeJ e\d,e^j 

J I even 
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Therefore, 



(4.2) \H{Me) n ^,{Me)\ = 2\Y\ = 2 J] i±|^ J] l^^l H l^/l 

=11(1^/1 +i^ri)+n(i^/i-i^ri)> 

£\d e\d 

where is the Mobius function. 
Lemma 4.5. For £\d, 



|GL2(Z/«)|(l-l/£) (£-l)3(£ + l) |GL2(Z/^Z)|(1 - l/£) (£-l)3(£ + l)' 

Proof. We use Lemma 2.5 to compute the \Y^\: 
|y±| = \{A G GL2(Z/^Z) : (^^) = ±1}| - |{^ G GU{'^/m) : (^i^) = ±1, det(/ - A) = 0}| 

= ^1 GL2(Z/«)| - ^ |{A G GL2(F£) : the eigenvalues of ^ are 1 and a}| 

aeF^(f)=±l 

= - If {I + 1) - ^-^{e +£) + \{i± 1)1 

The rest is a direct calculation. □ 
Using (4.2), Lemma 4.5, and \H{Me)\ = \ Y{i,\Me I GL2(Z/^Z)| = 3n^|^ | GL2(Z/^Z)|, we have: 

\H{ME)r^^i{ME)\/\H{ME)\ _ 1 /-pr \yt\ + \y['\ TT 

n,|M,(l - 1/^) 3 • i 4|i I GL2(Z/«)|(1 - l/£) ^ li I GL2(Z/«)|(1 - l/£) 

- 3 V y V (£ - lf{l + 1) J + ii (£ - 1)3(£ + 1) 

3IU (,_l)3(,+ l)j^ 

^ " (^^WTI) ) + n F^^^^TTs) • 

Proposition 4.2 follows by combining this expression with (4.1) and noting that d = \D\. 

5. Example: = + 6x — 2 

In this section, we consider the elliptic curve E over Q defined by the Weierstrass equation 
y2 _ ^3 _j_ _ 2_ xhis curve is a Serre curve; for a proof, see [LT76, Part I §7]. 

The given Weierstrass model has discriminant A = —2^3^, and hence Q(\/A) has discriminant 
-3. By Proposition 4.2 and (2.4), 

(5-1) ^^.^ = yn(i 



0.5612957424882619712979385 . . 



(£-1)3(^ + 1) 

In the following table, the "expected number" of p < x with p f 6 such that |i?(Fp)| is prime is 

1 dv 
J 2 log(u+l)logu 
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rounded to the nearest integer. 



Table 1. 


Number 


oi p < X with p f 6 such that \E{¥p) 


is prime. 


X 


Actual 


Expected 


X 


Actual 


Expected 


20000000 


45285 


45592 


520000000 


810038 


810610 


40000000 


83272 


83564 


540000000 


837904 


838429 


60000000 


118991 


119317 


560000000 


865500 


866145 


80000000 


153257 


153735 


580000000 


893592 


893763 


100000000 


186727 


187209 


600000000 


921156 


921287 


120000000 


219604 


219958 


620000000 


948710 


948720 


140000000 


251728 


252123 


640000000 


975828 


976066 


160000000 


283381 


283799 


660000000 


1003310 


1003328 


180000000 


314686 


315058 


680000000 


1030626 


1030508 


200000000 


345255 


345953 


700000000 


1057836 


1057610 


220000000 


375910 


376526 


720000000 


1084734 


1084636 


240000000 


406162 


406810 


740000000 


1111877 


1111589 


260000000 


436059 


436833 


760000000 


1138685 


1138470 


280000000 


465712 


466619 


780000000 


1165267 


1165282 


300000000 


495338 


496186 


800000000 


1192027 


1192027 


320000000 


524820 


525552 


820000000 


1218668 


1218707 


340000000 


553850 


554731 


840000000 


1245563 


1245324 


360000000 


583047 


583736 


860000000 


1272004 


1271878 


380000000 


611978 


612577 


880000000 


1298490 


1298373 


400000000 


640571 


641265 


900000000 


1324972 


1324810 


420000000 


668855 


669809 


920000000 


1351413 


1351190 


440000000 


697006 


698216 


940000000 


1377897 


1377514 


460000000 


725494 


726493 


960000000 


1404065 


1403784 


480000000 


753548 


754648 


980000000 


1430213 


1430001 


500000000 


781819 


782685 


1000000000 


1456288 


1456166 



Remark 5.1. The predicted constant in [Kob88] was 9/10 -C^;^!. This would have led to a predicted 
value of ~ 1310549 in the last entry of Table 1. 

6. Example: y'^ = x^ + 9x + 18 

Let E be the elliptic curve over Q defined by the Weierstrass equation = + 9x + 18. The 
discriminant of our Weierstrass model is A = —2^3^. This is the curve mentioned in §1.1. It is not 
isogenous over Q to a curve with nontrivial Q-torsion (in the notation of §3, t^; = 1), but we have 
Ce,i = 0. We saw that |£^(Fp)| was divisible by 3 if p = 1 mod 4 and divisble by 2 if p = 3 mod 4. 
In this section we will give numerical evidence for Conjecture 1.2 with t G {2, 3, 6}. 

We now state, without proof, enough information about the groups G{m) so that one may com- 
pute the constants Ce,2-, Ce,3 and Ce^- 

• 2-torsion. We have G(2) = Aut(£;[2]). 

• 4-torsion. Viewing Aut(£'[2]) as the symmetric group on E[2] — {0}, let e: Aut(-E[4]) 
Aut(£'[2]) {il} be the signature homorphism. Let x be the non-identity character of (Z/4Z)^. 
Then Q(\/A) = Q{i) implies that G(4) is contained in the group 

{A G Aut(£;[4]) : e(A) = x(det(^))}, 
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and this is actually an equality. We then have 

P4(Gal(Q/Q(i))) = {A G Aut(S[4]) : e{A) = x(det(^)) = 1}. 

The maximal abelian extension of Q{i) in Q(i?[4]) is Q(i, a, \/6) where a is a root of + 9x + 18. 
(Group theory with G(4) tells us that it is a degree six extension of Q(i). In general, one always 
has <Q{i, VA) C Q{E[4]); for our curve VA) = Q{i, = Q{i, Vd).) 

• 3-torsion. Choose a Z/3Z-basis of E[3] whose first vector is P := (— 3,6i). Then with respect 
to this basis, G(3) = />3(Gal(Q/Q)) is the subgroup of upper triangular matrices in GL2(Z/3Z). 

• 9-torsion. The group G(9) is the inverse image of G{3) under the map Aut(-E[9]) — > Aut(£'[3]). 
The maximal abelian extension of Q(i) in Q(£^[9]) is Let /3: G{9) — > {±1} be the homo- 
morphism for which a{P) = (3{p^{a))P for ah a £ Gal(^/Q). 

• 36-torsion. We may view G(36) as a subgroup of G(4) x G(9), where we have already described 
G(4) and G(9). To work out G(36), one needs to know the field Q{E[4]) n Q{E[9]). We claim 
that Q(S[4]) n Q(^[9]) = Q(i). Suppose that Q{E[4]) n Q(£^[9]) ^ Q(i); then the solvability of 
G(4) implies that there is a nontrivial abelian extension L/Q{i) in Q(i?[4]) nQ(£'[9]). However the 
maximal abelian extension of Q(i) in Q(i?[4]) and Q(£'[9]) is Q(i, a, ^/Q) and Q{i, Cd), respectively. 
Thus L C Q{i, a, VG) n Q(z, Cg) = Q(,i)- We deduce that 

G(36) = {{A,B) G Aut(^[4]) x Aut(^[9]) : e{A) = x(det(A)) = P{B)} 

and 

P36(Gal(Q/Q)) = {{A,B) G Aut(i?[4]) x Aut(i?[9]) : e{A) = x(det(^)) = P{B) = l}. 

• 5-torsion. The group G{5) is the unique subgroup of Aut(£^[5]) of order 96. The image in 
PGL2(Z/5Z) is isomorphic to the symmetric group S4 (this is one of the exceptional cases in 
[Ser72, Prop. 16]). The maximal abelian extension of Q in (^(^^[S]) is Q(C5)- 

• ^-torsion, I > 7. For every prime £ > 7, we have G{£) = Aut{E[i]). Group theory shows that 
for any squarefree positive integer m relatively prime to 2 • 3 • 5, we have G{m) = H^im ^^^(-^M)- 
The maximal abelian extension of Q in Q(£^[m]) is Q(Cm)- 

• For any squarefree positive integer m relatively prime to 2 • 3 • 5, we claim that 
(6.1) ^) = G(36) X G(5) X n , Aut(i?M). 

■'■■'■£\m ■'■■'-t\m 

Since G(36) and G(5) are solvable, it suffices to show that the maximal abelian extensions of Q 
in Q(£'[36]), Q(ii^[5]), and Q{E[m]) are pairwise linearly disjoint over Q (this is clear since the 
intersection of any two of these fields is an unramified extension of Q). 



Take any t £ {2,3,6}. From the above description, we may apply Proposition 2.4 with M = 30 
to obtain 

^i;,t(36-5) -p./ f-£-l 
^12.3.5(1- 1/^)47^ {£-l)H£ + l) 
Since G(36 • 5) = G(36) x G(5), we have 

. 6E,tm SE,t{^) YT(. £^-£-l 

(1 - 1/2)(1 - 1/3) 1 - 1/5 |U {£ - iri£ + 1)J- 

We have 6E,t{5) = Se,i{5) since t is relatively prime to 5, and using our description of G{5) one can 
show that 6E,t{^) = 5e,i{5) = 77/96. Hence 



r A r-^R^1232^/ £^-£-1 



219 iiV (£-1)3(^ + 1) 
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Using our description of G(36), one can show that (5£;^2(36) = 1/8, 5E,3{'i6) = 5/27, and SEfii^G) 
1/12. We record the resulting constants in the next lemma. 

Lemma 6.1. For the elliptic curve E over Q defined by = + 9x + 18, we have 

^ 154 6160 . ^ 308 . 

where <t = l\iU ^'"^"^ 



In the following table, the "expected number" of p < x with p f 6 such that \E{¥p)\/t is prime is 

1 du 
t+i log(u + 1) logn 



(6.2) Ce„ 



rounded to the nearest integer, where CE,t is estimated using Lemma 6.1 and (2.4). 



Table 2. Number oi p < x with p \ 6 such that \E{¥p)\/t is prime. 





J. o 

1 = 2 




1 = 3 




t = b 




X 


Actual 


Expected 


Actual 


Expected 


Actual 


Expected 


40000000 


55118 


55244 


83736 


84036 


39554 


39634 


80000000 


101556 


101444 


154113 


154134 


72535 


72537 


120000000 


145334 


144995 


220046 


220165 


103413 


103490 


160000000 


187516 


186949 


283458 


283747 


133307 


133271 


200000000 


228440 


227774 


345198 


345597 


161983 


162224 


240000000 


268461 


267730 


405675 


406118 


190166 


190543 


280000000 


307911 


306986 


464711 


465565 


217926 


218348 


320000000 


346499 


345657 


523022 


524117 


245405 


245727 


360000000 


384950 


383827 


580584 


581901 


272350 


272739 


400000000 


422640 


421560 


637825 


639017 


299112 


299433 


440000000 


459555 


458907 


694394 


695541 


325385 


325845 


480000000 


496734 


495907 


750663 


751535 


351567 


352005 


520000000 


533405 


532594 


806485 


807050 


377507 


377936 


560000000 


570295 


568996 


861533 


862129 


403533 


403659 


600000000 


606622 


605135 


916370 


916807 


428958 


429192 


640000000 


642830 


641032 


970514 


971114 


454130 


454548 


680000000 


678475 


676705 


1024511 


1025079 


479230 


479741 


720000000 


713909 


712169 


1077829 


1078722 


504194 


504782 


760000000 


749026 


747436 


1130770 


1132066 


529125 


529680 


800000000 


784432 


782518 


1183934 


1185128 


553804 


554443 


840000000 


819581 


817427 


1236561 


1237925 


578378 


579081 


880000000 


854213 


852172 


1288783 


1290470 


603045 


603599 


920000000 


888701 


886761 


1341501 


1342777 


627523 


628004 


960000000 


923138 


921202 


1393453 


1394859 


651810 


652301 


1000000000 


957322 


955502 


1445188 


1446724 


675851 


676497 



7. CM EXAMPLE: y'^ = x^ — X 

Let E be the elliptic curve over Q defined by the Weierstrass equation = x^ — x. This curve has 
complex multiplication hj R = Z[i], where i corresponds to the endomorphism (x,y) i— > {—x,iy) 
defined over Q{i). The curve E has conductor 2^. 
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The torsion group -E'(Q(«))tors has order 8 and is generated by {i, 1 — i) and (1, 0). So for those 
primes p that spht in Q(i) (i.e., p = 1 mod 4), we find that |-E(Fp)| is divisible by 8. In this section, 
we give numerical evidence for Conjecture 1.2 with t = 8. We will study it in the form given in 
(2.6), which conjectures that 

(7.1) \{p<x:p=lmod 4, |^(F.)|/8 is prime}] ^^l- / — ^ -— 

^ ^ ^ ' y f\ 2 Jg log(n+l)-log8 logn 

as X ^ oo (we have used the integral version of the conjecture since it should give a better 
approximation). This particular curve was studied by Iwaniec and Jimenez Urroz in [IJU06] where 
they proved that 

X 

\{p < X : p = 1 mod 4, |£^(F.p)| /8 is a prime or a product of two primes}! ^ — rr^ 

(log x)^ 

using sieve theoretic methods. We now describe the constant CEQf^^-),8' 

Lemma 7.1. Let E he the elliptic curve over Q given by y'^ = x^ — x. Then 

tt/ i"^ — £ — I \ 

where x(^) = (-l)^^-^)/^, h^ve Ce^^^^s ~ 1.067350894. 

Proof. Since E has conductor 2^, the curve -EQ(i) has good reduction away from the prime (1 + i). 
For the curve -E'Q{j), fix notation as in the proof of Proposition 2.7 (in particular, K = F = Q{i) 
and R = Z[i]). Checking the two conditions in the second half of the proof of Proposition 2.7, we 
find that the Proposition holds for -EQ(i) with M = 2. 

The discriminant of Q(i) is —4 and the conductor of the order R is 1, so by Proposition 2.8 we 
have 

_ (^E,,),8(16) / 

(1 _ 1/2) U I ;^(£))(£ _ 1)2 

where x is the Kronecker character of Q{i) (and hence x(^) = (— 1)^^"^^/^). To prove the re- 
quired product description of Ceq^^^s, it remains to show that dEfj^^-^^si^^) — 1/2- Consider the 
representation 

P2- Gal(Q(i)/Q(i)) ^ (iJ^Za)^ = {M^T 
arising from the Galois action on the Tate module T2{E). It is well known that p2 has image equal 
to 1 + p2 where p2 is the prime ideal (1 + i)Z2[i] (for example, see [KS99, 9.4]). In particular, 

G(16) =pi6(Gal(Q«/Q(i))) = (l + pi)/(l + I6Z2H) = {l + pi) / {l + pi) . 

Under our identification of Aut^^Ii] (^2(-E)) with Z2[i]^ , we find that det(/ — a) agrees with N{l — a) 
where N is the norm map from Z2[i] to Z2. We deduce that (5£;q(^j^8(16) is the proportion of 
a G (1 + pf)/(l + p|) for which N{1 - a) = 8 mod 16; this is indeed equal to 1/2. 
With respect to how one estimates the constant, we simply note that 

^^-i-i \/, x( 



CE,s = L{i,x)-'Yl[^-^(^h 



ii-xm^-^V' 

The product is now absolutely convergent and L(l, x) = 7r/4 by the class number formula. □ 



In the following table, the "Actual" column is the value of the left hand side of (7.1), while the 
"Expected" column is the right hand side of (7.1) with the approximation from Lemma 7.1. 
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Table 3. Number oi p < x with p = 1 mod 4 such that |£'(Fp)|/8 is prime. 



X 


Actual 


Expected 


X 


Actual 


Expected 


20000000 


49847 


50063 


520000000 


865909 


866300 


40000000 

vy v_/ \j Kj \j Kj \j 


91074 


91134 


540000000 

\J^I.\j KJ KJ KJ \J KJ \J 


895323 

w \J KJ ^ \j 


895804 

KJ \J KJ KJKJ^I 


60000000 


129660 


129648 


560000000 

\J KJ \J KJ \J KJ \J KJ \J 


924773 


925193 

\J ^ KJ kJ KJ 


80000000 

w \J KJ \J KJ \J KJ \J 


166429 


166631 

-i- KJ \J KJ ' ' J- 


580000000 

\J KJ \J KJ \J KJ \J KJ \J 


954215 


954472 


100000000 

J- \J KJ \J KJ \J KJ \J KJ 


202316 


202534 


600000000 

KJ KJ \J KJ \J KJ \J KJ \J 


983415 


983645 

\J KJKJKJ^^KJ 


120000000 


237402 


237612 


620000000 


1012618 


1012717 


140000000 

i KJ \J KJ \J KJ \J KJ 


271865 


272024 


640000000 

\J^T.\J KJ \J KJ \J KJ \J 


1041478 


1041691 


160000000 


305749 


305882 


660000000 

KJ KJ \J KJ \J KJ \J KJ \J 


1070519 

KJ 1 KJ \J J- %J 


1070571 

A^\J 1 KJKJ 1 J- 


180000000 


338987 


339266 


680000000 


1099310 


1099359 


200000000 


372142 


372237 


700000000 


1127947 


1128060 


220000000 


404768 


404844 


720000000 


1156596 


1156676 


240000000 


437027 


437124 


740000000 


1185077 


1185209 


260000000 


469002 


469110 


760000000 


1213434 


1213663 


280000000 


500848 


500827 


780000000 


1241996 


1242040 


300000000 


532345 


532298 


800000000 


1270215 


1270341 


320000000 


563613 


563542 


820000000 


1298419 


1298570 


340000000 


594570 


594575 


840000000 


1326489 


1326728 


360000000 


625409 


625412 


860000000 


1354726 


1354817 


380000000 


656138 


656065 


880000000 


1382946 


1382839 


400000000 


686710 


686546 


900000000 


1410787 


1410796 


420000000 


716542 


716864 


920000000 


1438522 


1438689 


440000000 


746751 


747028 


940000000 


1466143 


1466520 


460000000 


776709 


777047 


960000000 


1493786 


1494291 


480000000 


806405 


806928 


980000000 


1521276 


1522003 


500000000 


836080 


836677 


1000000000 


1548766 


1549657 



8. Example: Xo(ll) 

In this section we consider the elliptic curve E = Xo(ll) defined over Q. The modular interpreta- 
tion of Xo(ll) is not important for our purposes; it suffices to know that y"^ + y = x^ — x"^ — lOx — 20 
is a minimal Weierstrass model for E/Q. The curve E has conductor 11 and hence has good reduc- 
tion away from 11. By Theorem 3.2, tE divides [^^(Fp)! for each prime pf 2 • 11; since |£'(F3)| = 5, 
we deduce that tE divides 5. The rational point = (5,5) of E has order 5, and thus 5 divides 

tE- We deduce that tE = 5 and in particular that -E(Q)tors is generated by (5,5). In this section 
we shall test Conjecture 1.2 with t = tE = 5. 

Lang and Trotter have worked out the Galois theory for this elliptic curve, and in particular 
have shown that Theorem 2.3 holds with M = 2 • 5 • 11 (see [LT76, Part I, §8] for fuU details). By 
Proposition 2.4, we have 

r - '^i^,5(2-5^-ll) T-r 

r r2 N 345600 T-r / £"^-£-1 

= 5i.,5(2-5 -11)^^ 11(1 -(731)3(7^1) 
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We shall now describe the structure of the group G{2 • 5^ • 11) and then compute 5£;,5(2 • 5^ • 11). 
Those not interested in this computation can skip ahead to the data. 

For ah £ / 5, we have G{£) = Aut(^[^]). There is a basis of ^[5^] over Z/25Z for which ^(5^) 
becomes the group 



{ 5c^" t!) • ^' c ^ Z/25Z, u G (Z/25Z) ^ | 



To ease computation, identify G(5^) with this matrix group. Fixing a basis, we can also identify 
G(2) and G(ll) with the fuh groups GL2(Z/2Z) and GL2(Z/11Z) respectively. 

Let e: G{2) — > {±1} be the signature map (i.e, compose any isomorphism G{2) = 63 with the 
usual signature), and define the homomorphisms 

0ii: G(ll) ^Fi^i/{±1}, A^±det{A) 

and 

a: G(52) ^ Z/5Z, {^tc" u) ^ ^ mod 5. 
The group F^j^/{ibl} is cyclic of order 5 with generator ±2, so it makes sense to define a homomor- 
phism 05: G(52) ^ Ffi/{±1} by 

05(A) = (±2)-(^). 

We have a natural inclusion G{2 ■ 5^ • 11) C G{2) x G(5^) x G(ll), which gives us the following 
description of G{2 • 5^ • 11): 

G{2 . 52 . 11) = {(^2, A,, All) G G(2) X G(52) x G(ll) : ^5(^5) = MAn), (^^^) = 6(^2)} . 
Lemma 8.1. |G(2 • 5^ • 11)| = 19800000. 

Proof. We first use the fact that e surjects onto {±1}, and |G(2)| = 6. 
|G(2 • 52 . 11)1 = [{(^2,^5, An) G G(2) X G{5') x G(ll) : ^(^5) = 4>{Au), {^^^) = e{A2)}\ 
= 3 • \{{A,,An) G G(52) x G(ll) : ^(^5) = <t>{An), {^^^) = 1}\ 
+ 3 • \{{A,,An) G G(52) x G(ll) : ^(^5) = <P{An), (^^^) = -1}| 
= 3 • |{(A5, An) G G(52) X G(ll) : ^(^5) = 0(An)}| 
We now use that 05 and 0n surject onto a common group of order 5. 

|G(2 • 52 . 11)1 = 3 • |{(A5, An) G G(52) x G(ll) : ^{A^) = 0(An)}| 

= 3|G(52)||G(ll)|/5 = 3(5^ • 20)(ll2 - l){n'^ - ll)/5 = 19800000 □ 

Lemma 8.2. Se,5{2 ■ 5^ • 11) = 9/50. 

Proof. To ease notation, define i3(m) := G(m)n*I't(m). First note that an element ^ G GL2(Z/2Z) = 
G(2) is in B{2) if and only if det(/ - A) = det(A) = 1. One quickly verifies that B{2) = 
{(lo)'(ii)} - These two elements have order three, so e(A) = 1 for all A G -S(2). 

\B{2 • 52 . 11)1 = |{(^2, As, An) G B{2) x ^(5^) x ^(11) : 0(^5) = 0(An), {^^^) = e{A2)}\ 
= 2 • |{(^5, An) G e(52) X B{U) : 0(^5) = 0(An), det(An) G (Ff,)2}| 
= 2 Yl ^ ^(^2) : 05(A) = x}\ ■ \{A G B{U) : 0n(A) = x,det(A) G {¥^i)^}\ 
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Take any A = ( i+f G G(5). We have det(/ - A) = 5a(u - 1) G t£;(Z/25Z)^ = 5(Z/252 
if and only if a ^ (mod 5) and u^l (mod 5). Given a G 'L/b'L, we find that 



|{^G^(52) :a(^) =a}| -- 
and hence for 5 G F^j^, 

|{^ G ^(5^) : cl>^{A) = ±b}\ 



52 . 15 = 375 if a ^ (mod 5) 
ifa = (mod 5), 



375 if 6 / ±1 
if6 = ±l. 



Our expression for \B{2 ■ 5 • 11) | thus simplifies to the following, 

15(2-52 • 11)1 = 750 \{A £B (11) :(j)u{A) =x, det{A) £ {¥^^f}\. 

xeFfi/{±i}~{{±i}} 

Take any x G F^j^/{ibl}. Since —1 is not a square in F^-^, the class x contains a unique element 

b. G {¥^,r. 

\{A G 5(11) : 011 (A) = X, det(^) G (Ffi)2}| = \{A G 5(11) : det(^) = 
So our expression for |5(2 • 5^ • 11) | simplifies further to 

|5(2- 52 • 11)1 = 750 |{A G GL2(Fii) : det(A) = 6, det(/-^) / 0}|. 

6G{Fri)2-{l} 

Using Lemma 2.5, we obtain 

15(2-52.11)1= 750 Yl (|GL2(Fii)|/10- (11^ + 11) 

fee(Ff,)2-{i} 

= 750 • 4 • ((11^ - l)(ll2 - 11)/10 - (11^ + 11)) = 3564000. 
Therefore using the previous lemma, we have 

6e,5{2 ■ 52 • 11) = |5(2 • 52 • 11)|/|G(2 • 52 • 11)1 = 3564000/19800000 = 9/50. □ 

We finally describe the constant Cxo{ii),5 from Conjecture 1.2. Lemma 8.2 and (8.1) imply that 

(8-2) C^o(ll),5 - 11(^1 - 1)3(^+1) 

In the following table, the "expected number" p < x with p ^ 11 such that |Xo(ll)(Fp)|/5 is 
prime is 



^•3) Cx„(ii),5 / 

J6 



du 



log(u + 1) — log 5 log u 



rounded to the nearest integer, where Cxo(ii),5 is estimated using (8.2) and (2.4). 
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Table 4. Number of p < x with p ^ 11 such that |Xo(ll)(Fp)|/5 is prime. 



X 


Actual 


Expected 


X 


Actual 


Expected 


20000000 


36051 


36091 


520000000 


629151 


628797 


40000000 

vy v_/ \j Kj \j Kj \j 


66143 


65814 


540000000 

\J^I.\J KJ \J KJ \J KJ \J 


650676 

\J^\J KJ 1 KJ 


650253 

KJ ^ \J ^ KJ 


60000000 


94050 


93715 


560000000 

\J \J \J KJ \J KJ \J KJ \J 


671998 

KJ 1 \J %J KJ 


671626 

KJ 1 -L\J^\J 


80000000 

w \J KJ \J KJ \J KJ \J 


120806 

A ^ \JKJ\J\J 


120523 


580000000 

\J KJ \J KJ \J KJ \J KJ \J 


693377 

KJ kJ KJ\J I 1 


692921 


100000000 

J- \J KJ \J KJ \J KJ \J KJ 


146748 


146560 


600000000 

KJ KJ \J KJ \J KJ \J KJ \J 


714783 


714139 


120000000 


172172 


172007 


620000000 


735972 


735285 


140000000 

i KJ \J KJ \J KJ \J KJ 


197180 


196979 

-i- \j \j \j \ \j 


640000000 

\J^T.\J KJ \J KJ \J KJ \J 


756879 


756360 

f ^ KJKJKJKJ 


160000000 


221586 


221554 


660000000 

KJ KJ \J KJ \J KJ \J KJ \J 


777830 


777368 


180000000 


245768 


245790 


680000000 


798736 


798311 


200000000 


269776 


269730 


700000000 


819665 


819190 


220000000 


293290 


293410 


720000000 


840621 


840008 


240000000 


316771 


316855 


740000000 


861196 


860768 


260000000 


340034 


340090 


760000000 


881992 


881470 


280000000 


363448 


363133 


780000000 


902549 


902117 


300000000 


386413 


385999 


800000000 


923181 


922709 


320000000 


409103 


408703 


820000000 


943660 


943250 


340000000 


431644 


431255 


840000000 


964135 


963740 


360000000 


453854 


453667 


860000000 


984561 


984180 


380000000 


476378 


475947 


880000000 


1005037 


1004572 


400000000 


498621 


498103 


900000000 


1025528 


1024917 


420000000 


520651 


520143 


920000000 


1045814 


1045217 


440000000 


542604 


542072 


940000000 


1066059 


1065472 


460000000 


564364 


563898 


960000000 


1086151 


1085683 


480000000 


586046 


585624 


980000000 


1106398 


1105852 


500000000 


607563 


607255 


1000000000 


1126420 


1125980 



Remark 8.3. The term log 5 in (8.3) is numerically important. For example, we find that Cxo(ii),5 " 

/g "" {login + 1) log u)~^du w 1033120, which is a worse approximation of i-Xo(ii),5(10^) than that 
given in Table 4. 

9. Recent progress 

We briefly describe some of the progress that has been made on Koblitz's conjecture. This very 
short survey is not meant to be exhaustive and sometimes we only state special cases of results; 
one should consult the cited papers for more details and developments. In this section, we limit 
ourselves to elliptic curves defined over Q. 

First of all, there are currently no examples where Conjecture 1.2 is known to hold besides those 
trivial cases where CE,t = (and thus have a congruence obstruction). Moreover, there are no 
known examples of elliptic curves E and integers t for which lim3;^oo PE,t{x) = oo. 

Much of the recent progress has been made by applying methods from sieve theory (including 
methods that were used to study twin primes or Sophie Germain primes). Recall that the conjecture 
that there are infinitely many Sophie Germain primes is equivalent to there being infinitely many 
primes p for which {p — l)/2 is prime (this is an analogue of Conjecture 1.2 with = Q, t = 2 and 
E replaced by the group scheme Gm)- 
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9.1. Non-CM curves. Let E be an elliptic curve over Q without complex multiplication. Miri 

and Murty [MMOl] showed, assuming GRH, that there are 3> x/{logx)'^ primes p < x for which 
|£'(Fp)| has at most 16 prime divisors. Steuding and Weng [SW05, SW05b] improved this to 9 
factors. Assuming GRH and = 1, David and Wu [DW08] have shown that 

X 

\{p < X : |£^(Fp)| has at most 8 prime factors}! > 2.646 • Ce ly. ttt 

' (logx)^ 

for X 1, where Ce,i is the constant of Conjecture 1.2. 

We now mention some upper bounds obtained under GRH (though weakening of this conjecture 
can also be used). Cojocaru [Coj05] proved that Pe,i{x) <C x/{logx)^; which of course should 
be the best possible general bound, up to improvement of the implicit constant. David and Wu 
[DW08] have shown that for any e > 0, one has 

Pe.1 < (10 + e)C£;,i— 

(log x)^ 

for all x ':$>E,£ 1- In the general setting of Conjecture 1.2, one has the bound 

PeA^) < (22 + o{l))CE,tjr^^ 

(log xj^ 

where the o(l) term depends on E and t; this is Theorem 1.3 of [Zyw08b] (this theorem uses t = Ie, 
but the proof carries through for general t). 

For unconditional upper bounds, Cojocaru [Coj05] proved that PE,iix) <C x/(logxlogloglogx). 
This can be strengthened to Pea{x) < (24+o(l))C£;^i-x/(log x log log x), see [ZywOSb, Theorem 1.3]. 
However, this is still not strong enough to prove that 

E- < oo 
P 

p, |i?(Fp)| is prime 

(which would be the analogue of Brun's theorem that J2p and p+2 are prime < 

9.2. CM elliptic curves. Now consider a CM elliptic curve E over Q. If t^; = 1, then Cojocaru 
[Coj05, Theorem 4] has shown that 

X 

\{p < X : |£'(Fp)| has at most 5 prime factors}! — 

(log x)^ 

(note that this theorem does not depend on GRH). If E has CM by the maximal order Of of an 
imaginary quadratic extension F/Q, then Jimenez Urroz [JU08] has proved that 

X 

\{p < X : p splits in F, \E(¥p)\/tEp has at most 2 prime factors}! » 



(log x)2 

(this extends a result of Iwaniec and Jimenez Urroz mentioned at the beginning of §7). 

9.3. The conjecture on average. We now consider the functions Pe,i{x) averaged over a family 
of elliptic curves. Fix a > 1/2 and /3 > 1/2 with a+/3 > 3/2. Let J'{x) be the set of (a, b) G with 
\a\ < x" and \b\ < x^ for which 4a^ + 27b'^ / 0. For (a, 6) G -F(x), let E{a,b) be the elliptic curve 
over Q defined by the affine equation = + aX + b. Balog, Cojocaru, and David [BCD07] 
have proved that 
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as X — > oo, where £ = JJ(l — jj — + 1) ^ " ^^^^ ^^^^ Koblitz's conjecture holds 



■ on average 



9.4. The constant on average. Assuming a positive answer to a question of Serre^, Jones 
[Jon09b] proved that (9.1) is also true on the level of constants; i.e., 

lim ] V CE(a,b),i = ^■ 

Finally, we explain how this can be proven unconditionally (we state it in a fashion similar to 
[Jon09b, Theorem 6]). 

Proposition 9.1. Let J^{x) be the set of{a,b) G with \a\ < x and \b\ < x such that Aa"^ + 27b'^ 7^ 
0. Then there is an absolute constant 7 > such that for any integer k > 1, we have 

1 \ - 1^ ^ifc (logx)''' 

Proof. (Sketch) We first consider a fixed non-CM elliptic curve E over Q. Let M be the positive 
squarefree integer for which £ f M if and only if £ > 5 and G{t} 5 SL2(Z/£Z). Some group theory 
shows that 

G{Mm) = G{M) X ]^Aut(S[£]) 

l\m 

for any squarefree integer m relatively prime to M. By [Mas98, Theorem 3], there is an absolute 
constant k > such that 

M < mayi{l,h{EY} 

where h[E) is the logarithmic absolute semistable Faltings height of E. By [Sil86], we have h{E) <C 
h{jE) where Je is the j-invariant of E and h is the usual height of a rational number. 
By Proposition 2.4 with the above M, 

'"'■-n,M(i-wn/'"(f-iw+i))-n(i-w ■ 

If y is the smallest prime for which n^<?/ ^ — then 

n(l - 1/^)"' < 11(1 - l/£)-i « logy 

e\M e<y 

where the last inequality follows from Mertens' theorem. So 

Ce,i < log y < log ( ^ log e) < log log M. 

Therefore, for any non-CM elliptic curve over Q we have 

(9.2) Ce,i < log log log{h{jE) + 16) 

(the 16 is added simply to make sure the right-hand side is alway well-defined and positive). One 
can also check that Ce,i <C 1 for CM elliptic curves E/Q. 



^Does there exists a constant C such that for any non-CM eUiptic curve E/Q, we have pf(Gal(Q/Q)) — GL2(Z/ffl) 
for all primes £ > CI 
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Let S{x) be the set of (a, 6) G ^{x) for which E(a,b) is a Serre curve (cf. §4). Theorem 10 of 
[Jon09b] imphes that 

(9.3) ^ E |C,(,,,-e:|^«.ii^^; 

a key point is that the difference CE(a,b),i ~ *^ has a nice description (cf. Proposition 4.2). 
For each (a, 6) G J^{x), we have /i(i_B(a,6)) ^ logx. Therefore by (9.2) we have 



By [Jon09, Theorem 4], there is a constant /3 > such that |.F(a;) — S{x)\/\T{x)\ <^ (logx)^ /^/x. 
Therefore 

(9-4) ^7-^ 2^ |Ci<;(a,6),i - e:| «fc — 1^ 

for some constant (3 > 0. The proposition fohows immediately by combining (9.3) and (9.4). □ 
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